Fraud Management & Cybercrime , Ransomware

Black Basta Ransomware Group Retools for Strategic Attacks

Social Engineering Moves Mirror Nation-State Groups' Tactics, Researchers Say
Black Basta Ransomware Group Retools for Strategic Attacks
Image: Shutterstock

The Black Basta ransomware group has been refining social engineering tactics to amass more victims despite escalating law enforcement disruptions, experts say.

See Also: 57 Tips to Secure Your Organization

The group has moved beyond a botnet-driven focus on malware distribution to focus on tricking targets through carefully planned social engineering campaigns - displaying tactics more often seen in nation-state hacking, says a report from threat intelligence firm RedSense.

"This evolution shows Black Basta's deliberate progression from opportunistic attacks to strategic, long-term planning" and a more refined mix of "technical and social tactics," says the report, written by Yelisey Bohuslavskiy, partner and chief research officer at RedSense.

Black Basta's recently seen techniques "include email bombing - a tactic used to send a large volume of spam emails - to aid social engineering over Microsoft Teams and trick victim end users into providing initial access via remote monitoring and management tools," said the U.S. Cybersecurity and Infrastructure Security Agency in a recent alert.

The CISA alert came after cybersecurity firm ReliaQuest reported last month that Black Basta was using "escalated social engineering tactics." Previously, it tied the group to attacks involving "overwhelming users with email spam," sometimes amounting to 1,000 emails sent to a single user in just 50 minutes.

Attackers would contact targets pretending to be a help desk responding the all-but-certain ticket filed by targets, ReliaQuest said. Attackers' goal was to trick the victim into installing a loader that ran Black Basta ransomware on their system.

The group appears to have escalated that approach by using the email bombing campaigns followed by adding targets to external Microsoft Teams chat messages, some of which incorporated malicious QR codes designed to install malware, while still pretending to be help desk specialists, ReliaQuest said.

The firm said tenants hosting the Microsoft Teams conversations typically followed a domain naming convention involving *.onmicrosoft.com, including cybersecurityadmin.onmicrosoft.com and supportserviceadmin.onmicrosoft.com.

Focus on Partnerships

Google's Mandiant incident response group in July said the group behind Black Basta, which it tracks as UNC4393 and describes as financially motivated, appears to be the exclusive user of its ransomware, which it calls Basta.

Unlike traditional ransomware as a service, "Basta is not publicly marketed and its operators do not appear to actively recruit affiliates to deploy the ransomware," Mandiant said. "Instead, they focus on acquiring initial access via partnerships or purchases in underground communities. This deviates from traditional RaaS models, which focus on ransomware development and related services such as the data leak site that are provided to affiliates in exchange for directly distributing the ransomware."

Mandiant said UNC4393 from early 2022 appeared to almost only ever distribute Basta ransomware through Qakbot infections, at least until the FBI disrupted that infrastructure in 2023. From then on, the group began testing other backdoors, including malware with information-stealing capabilities.

Conti Diaspora

Black Basta is one of groups that directly spun out or formed from the wake of the dissolution of Conti. That high-flying group's leadership publicly backed Moscow's war of conquest against Ukraine, which turned out to be a disastrous business decision for a Russia-based gang relying on Western victims to pay it for decryptors and promises to not leak stolen data. Victims nearly overnight ceased paying Conti extortion demands.

At least six smaller groups spun out from Conti, including BlackBasta, Quantum - aka Royal - and Silent Ransom, RedSense has reported. Other groups associated with Conti or its membership have included Alphv, aka BlackCat; AvosLocker; Hive; and HelloKitty, aka FiveHands (see: Is Ransomware Finally in Decline? Groups Are 'Struggling').

Since that diaspora, Black Basta has emerged as "the most centralized and disciplined" of the Conti spinoffs, which strongly suggests they may be working with the Russian state hacking groups or intelligence handlers, displaying a strong focus on legal, technology and manufacturing sectors, rather than most groups' mostly opportunistic focus, RedSense said (see: Targets of Opportunity: How Ransomware Groups Find Victims).

Unusually Focused Targeting

Based on details of who Black Basta has been targeting, as well as internal group chatter, RedSense said the ransomware operation appears to be highly focused on targeting very specific victims. "Unlike other groups who often rely on opportunistic hits, Black Basta has continued to conduct long-planned, targeted attacks on European and U.S. critical infrastructure and the military-industrial complex, showing a level of coordination and intent beyond mere chance."

The firm said this focus is not reflected in the non-paying victims the group chooses to post on its data-leak site, "which cannot be considered valid victimology data" (see: Ransomware Groups' Data Leak Blogs Lie: Stop Trusting Them).

While the threat-intelligence firm has published no smoking gun tying Black Basta to Russian law enforcement or intelligence organs, any such connection would be in keeping with its progenitor. Conti's leader, known as "Stern," appeared to have close ties to Russia's Federal Security Service, known as the FSB.

That revelation arrived in early 2022, when a Ukrainian security researcher took revenge on Conti's public backing of President Vladimir Putin's decision to launch his all-out war of conquest against the country. The researcher infiltrated and leaked extensive information tied to the criminal operation, including internal chat logs, victim lists and addresses for cryptocurrency wallet addresses containing over 65,000 bitcoins, then worth $1.4 billion.

The leaks also revealed that the Russian cybercrime enterprise was staffed by about 200 full-time employees and structured like a legitimate business, with an HR department, groups of open source intelligence and cybercrime specialists, and R&D teams focused on finding innovative new ways to extort victims.

Security experts say Moscow continues to at least tolerate cybercrime groups, including ransomware operations, if not task them directly, to serve as a deniable asset against adversaries.


About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing databreachtoday.in, you agree to our use of cookies.